How to Protect Yourself from the Latest Gmail Security Threat

Gmail users are being targeted by a new phishing campaign that is fooling even experienced, security-conscious people. On the face of it, it's a classic phishing scam: an email sends you to a malicious page that steals your Google login details. But this one has an extra trick up its sleeve. Here's everything you need to know to protect yourself from this scam and others like it.

How does it work?

Like most phishing scams, this one works by faking legitimacy. You receive an email, often from a contact whose account has already been compromised, that contains a PDF attachment (or what looks like one). Clicking it opens a page posing as the Gmail login page. If you enter your username and password there, the attackers have them immediately and can sign in to your account as you.

What’s so special about this one?

Phishing scams are commonplace. Look through your junk mail, and you might find one sitting there, telling you that something urgent needs your attention on your eBay, PayPal, email, or other account. Even though they carry the logos and everything else you'd expect from the real site, the giveaway is usually the address the email was sent from, which doesn't match the site's domain. In addition, your browser's phishing protection will usually warn you when a link leads to a known fake site.

But this scam sidesteps your browser's phishing detection using a "data URL" (a link beginning with data:). A data URL doesn't point to a web address at all; the entire fake page is embedded in the link itself, so there is no hosted site for a phishing blocklist to match. The attackers make the address bar read "data:text/html,https://accounts.google.com/ServiceLogin?service=mail" followed by a long run of whitespace, so the genuine-looking Google address is what you see, while the real content of the link (the fake login form) is pushed off the right-hand edge of the address bar. The tell is at the very start of the address: it begins with "data:", not "https://", and the browser shows no padlock. It's convincing not only for your browser but also for you as a user, unless you look at the first few characters.
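The following is an added example, not code from the original article. It reconstructs the shape of the data URL lure described above and shows the check a cautious user (or a mail filter) would apply before any Google password is typed: the link must be https, and the host must be exactly accounts.google.com. The lure itself is a constructed, harmless stand-in; the real one carried the attacker's login form, this one carries only an HTML comment.

```javascript
// Added example, not code from the original article. The lure below is a
// constructed, harmless stand-in for the real one.

// 1. What the victim sees at the left edge of the address bar.
const LURE_PREFIX =
  "data:text/html,https://accounts.google.com/ServiceLogin?service=mail";

// 2. Whitespace that pushes the real payload far off the right edge.
const PADDING = " ".repeat(300);

// 3. The page that actually renders: a stand-in for the attacker's HTML.
const PAYLOAD = "<!-- the attacker's fake login form would be here -->";

const LURE_URL = LURE_PREFIX + PADDING + PAYLOAD;

// Where Google's real sign-in page lives. Only the exact host counts;
// "accounts.google.com.example.net" is a different host entirely.
const GOOGLE_SIGNIN_HOST = "accounts.google.com";

// Classify a URL before a Google password is typed into the page it loads.
function inspectLoginUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { verdict: "suspicious", reason: "not a valid URL" };
  }

  if (url.protocol === "data:") {
    // A data: URL is not a location; the page is embedded in the link, so
    // there is nothing for a site blocklist to match. If the link also
    // contains a well-known https address, it is impersonating that site.
    const lookalike = /https?:\/\/\S+/.exec(raw);
    return {
      verdict: "phishing",
      reason: lookalike
        ? "data: URL impersonating " + lookalike[0]
        : "data: URL used as a login page",
    };
  }

  if (url.protocol !== "https:") {
    return { verdict: "suspicious", reason: "no TLS (" + url.protocol + ")" };
  }

  if (url.hostname !== GOOGLE_SIGNIN_HOST) {
    return { verdict: "suspicious", reason: "host is " + url.hostname };
  }

  return { verdict: "ok", reason: "genuine " + GOOGLE_SIGNIN_HOST + " over https" };
}

// Stand-alone demo over the lure and three comparison links.
for (const candidate of [
  LURE_URL,
  "https://accounts.google.com/ServiceLogin?service=mail",
  "https://accounts.google.com.example.net/ServiceLogin",
  "http://accounts.google.com/ServiceLogin",
]) {
  const r = inspectLoginUrl(candidate);
  console.log(r.verdict.padEnd(10), r.reason);
}
```

Note that the check reads url.protocol and url.hostname from the parsed URL rather than searching the raw string for "accounts.google.com"; a substring search is exactly what the lure is designed to pass.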

How to avoid it

One thing that should reassure you about phishing scams is that they can't do anything unless you hand over your details. Everything is in your hands. Before you type your Google password anywhere, look at the very start of the address bar: it should begin with "https://accounts.google.com/" and show the padlock. If it begins with "data:" or anything else, close the tab. And, as a general rule, never open attachments you weren't expecting, even when the sender appears to be someone or some site you trust; if in doubt, ask the sender through another channel whether they really sent it.

What if I think I’ve fallen for the scam?

If you think you've given your details to this (or any other) scam, the damage won't necessarily be obvious straight away. The point of taking over your Gmail account is that it unlocks everything tied to it: your identity, password-reset emails for other services, bank correspondence, Google Drive files, and so on. The attackers can then sell your information, make purchases, or use your account to phish your contacts.

The very first thing you should do is change your password. For a Google account this signs the account out on other devices, so anyone who logged in with the stolen password is locked out and can't get back in because they no longer know it. While you're there, run Google's Security Checkup: review the devices and third-party apps that have access to the account, and check your Gmail settings for forwarding addresses or filters you didn't create, since attackers commonly add these to keep a copy of your mail after you lock them out.

Next, enable two-factor authentication (Google calls it 2-Step Verification) for your Google account from its security settings. From then on, every sign-in requires a second step after your password: a code sent to your phone, or better, a code from an authenticator app or a physical security key, which can't be intercepted the way a text message can.

As your account may have been used to send the same scam to the people in your Google contacts, send out a mass email warning them that your account may have been compromised and that they should not open any unexpected attachments or links in emails that appear to come from you.

Finally, it's ESSENTIAL that you use a different password for each of your accounts, so that a stolen Gmail password doesn't open anything else. If you find that prospect intimidating, a password manager can generate a unique password for every site and store them safely in its vault.

Conclusion

This latest phishing scam is a clever variant on an old trick, but most of the same rules apply. To some of you this may sound like obvious safety advice, but as long as people keep falling for these scams, it's worth re-emphasizing the things you can do to stay safe.

6 comments

I was aware of the new Gmail security threat because it was making so many rounds on social media platforms. But the irony was that none of the posts actually put forward the actual solution for that threat. Finally, I got what I need to do to protect my email account from this latest security threat. Cheers.

"there's something urgent that needs your attention on your eBay, PayPal, email, or other account." Know and remember the sites you have account(s) with. If you can't remember them, write them down. If, out of the blue, you received an email from a porno site informing you that there was a problem with your account, wouldn't you automatically delete it or send it to Spam? Then why mindlessly open an email from a company you know you do not deal with? If you do have an account with a company and you get such an email, either telephone their support number or contact them online, BUT enter the URL yourself. DO NOT click on any links provided in the suspect email. Also, when you contact the real company, you can report the attempt to scam you. I'm sure they will be happy to know of it.

A couple of weeks ago, I got a spate of frantic emails from PayPal, eBay, Amazon, Facebook, Twitter and others saying that my account was about to be suspended and/or closed down permanently unless I updated it. Unfortunately for the scammers, I KNOW that I have no accounts with any of those companies. I was going to reply, telling them to go ahead and suspend/close my account, but that would have confirmed to the scammers that they had reached a working email address.

“Next, enable two-factor authentication for your Google account” What about the millions of people who do not own smartphones? Are they supposed to buy smartphones just for the purpose of implementing 2FA?

“you can use a password manager to generate different ones for you and store them safely in its vault.” A password manager is little more than a placebo. While it supposedly stores all your passwords safe from hackers, the password to access the password manager is exposed to hackers. If your master password is compromised, all your other passwords become useless. A Password manager is the electronic equivalent of a piece of paper in your desk drawer, listing all your passwords. In fact, I would trust the desk drawer more than a password vault. A password vault file can be accessed electronically and is obvious when one knows what to look for. A piece of paper requires physical access and is not very easy to find among the hundreds or thousands of other pieces of paper in your desk or office or home. Sometimes ‘security by obscurity’ does work better than electronic security.